What is autrace?

autrace is a command line utility that runs a program until it exits, just like strace; it adds the audit rules to trace a process and saves the audit information in /var/www/audit/audit.log file. For it to work (i.e before running the selected program), you must first delete all existing audit rules.

The syntax for using autrace is shown below, and it only accepts one option, -r which limits syscalls collected to ones required for assessing resource usage of the process:

# autrace -r program program-args

Attention: In the autrace man page, the syntax as follows, which is actually a documentation mistake. Because using this form, the program you run will assume you’re using one of its internal option thus resulting into an error or performing the default action enabled by the option.

# autrace program -r program-args

If you have any audit rules present, autrace shows the following error.

# autrace /usr/bin/df

autrace Error

First delete all the auditd rules with the following command.

# auditctl -D

Then proceed to run autrace with your target program. In this example, we are tracing the execution of df command, which shows filesystem usage.

# autrace /usr/bin/df -h

Trace df Command

From the screenshot above, you can find all the log entries to do with the trace, from the audit log file using ausearch utility as follows.

# ausearch -i -p 2678

Where the option:

-i – enables interpreting of numeric values into text.

-p – passes the process ID to be searched.

Audit Report of df Command

To generate a report about the trace details, you can build a command line of ausearch and aureport like this.

# ausearch -p 2678 --raw | aureport -i -f

Where:

--raw – tells ausearch to deliver raw input to aureport.

-f – enables reporting about files and af_unix sockets.

-i – allows interpreting of numeric values into text.

Generate Trace Report of df Command

And using the command below, we are limiting the syscalls gathered to ones needed for analyzing resource usage of the df process.

# autrace -r /usr/bin/df -h

Assuming you have autraced a program for the last one week; meaning there is a lot of information dumped in the audit logs. To produce a report for only today’s records, use the -ts ausearch flag to specify the start date/time for searching:

# ausearch -ts today -p 2678 --raw | aureport -i -f

Generate Trace Report based on Time

That’s it! this way you can trace and audit specific Linux process using autrace tool, for more information check man pages.

That’s all for now! You can ask any questions or share thoughts about this article via the comment from below. In the next article, we will describe how to configure PAM (Pluggable Authentication Module) for auditing of TTY input for specified users CentOS/RHEL.

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.